Authenticating users based on S/MIME certificate

Authenticating users based on S/MIME certificate

am 21.09.2008 01:10:16 von Gunnar Vestergaard

Hi. I am an administrator of a user account at an Apache web server.
Currently the server is running Apache 1.3.37. My hosting provider plans
on switching to new hardware with possibly new software. So I don't know
if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my
web server using some certificate, possibly S/MIME certificates.

Now, my current S/MIME certificate for personal e-mail is approved for
the following purposes:
Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards
an SSL web server? In any case I want to have a limited crowd of users
seeing a subdirectory of pages without bothering the user with a user
name/password dialog. Just their personal certificate lets them see
pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP
can read and interpret an SSL client certificate. Is that correct?

Gunnar
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Authenticating users based on S/MIME certificate

am 22.09.2008 12:38:49 von Dave Sparks

Gunnar Vestergaard wrote:

> My goal is to let visitors of my web site authenticate themselves to
> my web server using some certificate, possibly S/MIME certificates.

> As I understand the documentation for PHP, there is no means whereby
> PHP can read and interpret an SSL client certificate. Is that correct?

It's possible to configure Apache 2 to add the client certificate to a
request header. From one of my configuration files:

RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
^.*(-----BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-----(%0[Dd ])?%0[Aa].*%0[Aa]-----END%20\2CERTIFICATE-----(%0[Dd])?%0[Aa ]).*$
RewriteRule ^.*$ - [E=CLIENT_CERT:%1]

RequestHeader unset L-ClientCert

RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT

The certificate is %-encoded to avoid problems with newline characters.
Presumably PHP can use the string in the header to match the
certificate against a list of known certificates.

The certificate digest would be less unwieldy than the entire
certificate, but mod_ssl would need some simple changes to make the
digest available and I would be reluctant to use a hosting provider who
allowed customers to use a modified mod_ssl.


Dave Sparks

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Authenticating users based on S/MIME certificate

am 22.09.2008 20:36:53 von Matt Stevenson

Hi,

Have a look at mod_authz_ldap (ldap baseed white listing,
http://authzldap.othello.ch/). Probably far more than you need but it
does things along the same lines and has some nice notes how to do
various bits and pieces.

You can add env vars that you can use php have a look at SSLOptions +StdEnvVars and +ExportCertData.

Regards
Matt



----- Original Message ----
From: Gunnar Vestergaard
To: modssl-users@modssl.org
Sent: Sunday, September 21, 2008 12:10:16 AM
Subject: Authenticating users based on S/MIME certificate

Hi. I am an administrator of a user account at an Apache web server.
Currently the server is running Apache 1.3.37. My hosting provider plans
on switching to new hardware with possibly new software. So I don't know
if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my
web server using some certificate, possibly S/MIME certificates.

Now, my current S/MIME certificate for personal e-mail is approved for
the following purposes:
Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards
an SSL web server? In any case I want to have a limited crowd of users
seeing a subdirectory of pages without bothering the user with a user
name/password dialog. Just their personal certificate lets them see
pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP
can read and interpret an SSL client certificate. Is that correct?

Gunnar
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org




____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org